cs475: lecture 1 computer and network securitygreenie/cs475/cs475-14-01.pdf · security: whole...
TRANSCRIPT
![Page 1: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-14-01.pdf · Security: Whole System is Relevant • Security requires a whole-system view • Cryptography • Implementation](https://reader030.vdocuments.us/reader030/viewer/2022040511/5e5b761dc2bacc091164a904/html5/thumbnails/1.jpg)
CS475: Lecture 1Computer and Network
SecurityRachel Greenstadt
January 7, 2013
Wednesday, January 29, 14
![Page 2: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-14-01.pdf · Security: Whole System is Relevant • Security requires a whole-system view • Cryptography • Implementation](https://reader030.vdocuments.us/reader030/viewer/2022040511/5e5b761dc2bacc091164a904/html5/thumbnails/2.jpg)
Introductions
• Your name
• Year at drexel
• Why interested in Computer Security and CS 475?
• Something else interesting about you
Wednesday, January 29, 14
![Page 3: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-14-01.pdf · Security: Whole System is Relevant • Security requires a whole-system view • Cryptography • Implementation](https://reader030.vdocuments.us/reader030/viewer/2022040511/5e5b761dc2bacc091164a904/html5/thumbnails/3.jpg)
High Level Information
• Instructor: Rachel Greenstadt
• Office: UC 140
• Office Hours (Wednesday 2-3 pm)
• Feel free to email or stop by
• Course website
• http://www.cs.drexel.edu/~greenie/cs475/
Wednesday, January 29, 14
![Page 4: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-14-01.pdf · Security: Whole System is Relevant • Security requires a whole-system view • Cryptography • Implementation](https://reader030.vdocuments.us/reader030/viewer/2022040511/5e5b761dc2bacc091164a904/html5/thumbnails/4.jpg)
Overview
• Current Events in “Computer and Network Security” (far from complete)
• About CS 475
• Security Reviews
Wednesday, January 29, 14
![Page 5: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-14-01.pdf · Security: Whole System is Relevant • Security requires a whole-system view • Cryptography • Implementation](https://reader030.vdocuments.us/reader030/viewer/2022040511/5e5b761dc2bacc091164a904/html5/thumbnails/5.jpg)
Computer security is an oxymoron
• We like to talk about crypto --- it’s the only thing we’ve got that really works
• Software is not secure
• Networks are not secure
• Trust infrastructures are not secure
• And users...well....I think I might have a bank in Nigeria to sell to you
Wednesday, January 29, 14
![Page 6: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-14-01.pdf · Security: Whole System is Relevant • Security requires a whole-system view • Cryptography • Implementation](https://reader030.vdocuments.us/reader030/viewer/2022040511/5e5b761dc2bacc091164a904/html5/thumbnails/6.jpg)
The Internets are Broken: SSL
How ssl web securityis supposed to work
Wednesday, January 29, 14
![Page 7: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-14-01.pdf · Security: Whole System is Relevant • Security requires a whole-system view • Cryptography • Implementation](https://reader030.vdocuments.us/reader030/viewer/2022040511/5e5b761dc2bacc091164a904/html5/thumbnails/7.jpg)
Creating a Rogue CA
Wednesday, January 29, 14
![Page 8: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-14-01.pdf · Security: Whole System is Relevant • Security requires a whole-system view • Cryptography • Implementation](https://reader030.vdocuments.us/reader030/viewer/2022040511/5e5b761dc2bacc091164a904/html5/thumbnails/8.jpg)
How to Create a Rogue CA
• 2008 : Break hashing algorithm used to sign the CA cert (MD5 in this case) or break DNS
• 2009 : Buy cert for *\0.domainI0wn.com, results in cert for * due to pascal vs C string confusion
• 2011 : Break into a CA or someone who has signing capacity (DigiNotar/Comodo)
• 2013 : “Lucky 13” attacks, bypass SSL by breaking cookie authentication (also BEAST, CRIME, TIME)
Wednesday, January 29, 14
![Page 9: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-14-01.pdf · Security: Whole System is Relevant • Security requires a whole-system view • Cryptography • Implementation](https://reader030.vdocuments.us/reader030/viewer/2022040511/5e5b761dc2bacc091164a904/html5/thumbnails/9.jpg)
But then again, why bother?
Wednesday, January 29, 14
![Page 10: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-14-01.pdf · Security: Whole System is Relevant • Security requires a whole-system view • Cryptography • Implementation](https://reader030.vdocuments.us/reader030/viewer/2022040511/5e5b761dc2bacc091164a904/html5/thumbnails/10.jpg)
Crypto is hard: Debian
• The following lines were removed from md_rand.c
• valgrind and purify (useful debugging tools) complained about uninitialized memory
• As a result, randomness in debian generated keys (SSL and SSH) was reduced to 15 bits (32,768 unique keys) and cryptographic ops were suspect
MD_Update(&m,buf,j);[ .. ]MD_Update(&m,buf,j); /* purify complains */
Wednesday, January 29, 14
![Page 11: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-14-01.pdf · Security: Whole System is Relevant • Security requires a whole-system view • Cryptography • Implementation](https://reader030.vdocuments.us/reader030/viewer/2022040511/5e5b761dc2bacc091164a904/html5/thumbnails/11.jpg)
More Recently: RSA
• Lenstra et al
• Of 6.6 million distinct X.509 certificates and PGP keys (cf. [1]) containing RSA moduli, 0.27 million (4%) share their RSA modulus, often involving unrelated parties. Of 6.4 million distinct RSA moduli, 71052 (1.1%) occur more than once, some of them thousands of times.
• Heninger et al
• Remote compromise of 0.4% of keys. Due to poor random number generation. Affects various kinds of embedded devices such as routers and VPN devices, not full-blown web servers
Wednesday, January 29, 14
![Page 12: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-14-01.pdf · Security: Whole System is Relevant • Security requires a whole-system view • Cryptography • Implementation](https://reader030.vdocuments.us/reader030/viewer/2022040511/5e5b761dc2bacc091164a904/html5/thumbnails/12.jpg)
The foundation is rather shaky
• 2013 saw major breakthroughs in some discrete log
• And also some cases of NSA mucking with crypto standards (ECC-based PRNG)
Wednesday, January 29, 14
![Page 13: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-14-01.pdf · Security: Whole System is Relevant • Security requires a whole-system view • Cryptography • Implementation](https://reader030.vdocuments.us/reader030/viewer/2022040511/5e5b761dc2bacc091164a904/html5/thumbnails/13.jpg)
Release Engineering is Hard: Windows
• Flame broke into computers, spied on audio, keystrokes, etc.
• 2012.06.03 Microsoft “We recently became aware of a complex piece of targeted malware known as `Flame' and immediately began examining the issue...We have discovered through our analysis that some components of the malware have been signed by certificates that allow software to appear as if it was produced by Microsoft.”
Wednesday, January 29, 14
![Page 14: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-14-01.pdf · Security: Whole System is Relevant • Security requires a whole-system view • Cryptography • Implementation](https://reader030.vdocuments.us/reader030/viewer/2022040511/5e5b761dc2bacc091164a904/html5/thumbnails/14.jpg)
CVE vulnerabilities
• ~5,000 per year since 2005
• 1700-3000 high severity (remote system compromise without user action)
• Not to mention governments hoarding and using 0-days
Wednesday, January 29, 14
![Page 15: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-14-01.pdf · Security: Whole System is Relevant • Security requires a whole-system view • Cryptography • Implementation](https://reader030.vdocuments.us/reader030/viewer/2022040511/5e5b761dc2bacc091164a904/html5/thumbnails/15.jpg)
Web 2.0 is a sewerInternet users can be infected simply by viewing a compromised website.
Wednesday, January 29, 14
![Page 16: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-14-01.pdf · Security: Whole System is Relevant • Security requires a whole-system view • Cryptography • Implementation](https://reader030.vdocuments.us/reader030/viewer/2022040511/5e5b761dc2bacc091164a904/html5/thumbnails/16.jpg)
Data Protection doesn’t exist
• Data aggregators compile in-depth dossiers on everyone
• Choicepoint sold 163,000 record to identity thieves in 2005
• Often this data is lost, stolen, or misused
• See Petraeus, David
• Privacy Rights Clearinghouse documents the loss of 246,134,559 sensitive records since 2005
Wednesday, January 29, 14
![Page 17: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-14-01.pdf · Security: Whole System is Relevant • Security requires a whole-system view • Cryptography • Implementation](https://reader030.vdocuments.us/reader030/viewer/2022040511/5e5b761dc2bacc091164a904/html5/thumbnails/17.jpg)
Not to mention the other dossiers...
• Microsoft. Yahoo. Google. Facebook. PalTalk. AOL. Skype. YouTube. Apple => NSA
• Also, Verizon, AT&T, other telcos...
Wednesday, January 29, 14
![Page 18: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-14-01.pdf · Security: Whole System is Relevant • Security requires a whole-system view • Cryptography • Implementation](https://reader030.vdocuments.us/reader030/viewer/2022040511/5e5b761dc2bacc091164a904/html5/thumbnails/18.jpg)
Privacy in Apps?
• iOS plaintext file keeping track of fine-grained location info
• Malicious apps accessing address books, making premium phone calls, sending text messages to pay services
• How many of you pay attention to permissions on apps you download?
Wednesday, January 29, 14
![Page 19: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-14-01.pdf · Security: Whole System is Relevant • Security requires a whole-system view • Cryptography • Implementation](https://reader030.vdocuments.us/reader030/viewer/2022040511/5e5b761dc2bacc091164a904/html5/thumbnails/19.jpg)
SQL Injection
Wednesday, January 29, 14
![Page 20: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-14-01.pdf · Security: Whole System is Relevant • Security requires a whole-system view • Cryptography • Implementation](https://reader030.vdocuments.us/reader030/viewer/2022040511/5e5b761dc2bacc091164a904/html5/thumbnails/20.jpg)
Govt Oppression 2.0
• Countrywide censorship via deep packet inspection, MiTM - Iran, China, Burma, etc
• But also US, Germany, Aus, UK, etc
• US companies leading the way
• Info warfare - Russia/Estonia 2007
Wednesday, January 29, 14
![Page 21: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-14-01.pdf · Security: Whole System is Relevant • Security requires a whole-system view • Cryptography • Implementation](https://reader030.vdocuments.us/reader030/viewer/2022040511/5e5b761dc2bacc091164a904/html5/thumbnails/21.jpg)
Why are things so bad?• Economists will tell you that the optimal number
of plane crashes is > 0
• Indirect losses and externalities
• “Ship it today, get it right by version 3”
• Features too far ahead of security
• Failure of software eng field to be competent
• Monoculture
• Lack of security metrics
Wednesday, January 29, 14
![Page 22: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-14-01.pdf · Security: Whole System is Relevant • Security requires a whole-system view • Cryptography • Implementation](https://reader030.vdocuments.us/reader030/viewer/2022040511/5e5b761dc2bacc091164a904/html5/thumbnails/22.jpg)
Or maybe it’s just the Internet [Lampson]
• Attack from anywhere
• Sharing with anyone
• Automated infection
• Hostile code
• Hostile physical environment
• Hostile hosts
Wednesday, January 29, 14
![Page 23: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-14-01.pdf · Security: Whole System is Relevant • Security requires a whole-system view • Cryptography • Implementation](https://reader030.vdocuments.us/reader030/viewer/2022040511/5e5b761dc2bacc091164a904/html5/thumbnails/23.jpg)
The Malware Economy• Revenue sources: SPAM, phishing, stolen data (credentials, game items)
• Revenue conversion: money mules
• Enabled by: Botnets of infected machines
• Enabled by: Infection vectors: Drive-by-downloads, email attachments, removable media
• Enabled by: Automated exploit packs (mpack, etc)
• Enabled by: Malware writers
• Enabled by: Exploit writers
• Enabled by: Software vulnerabilities/bad release engineering
Wednesday, January 29, 14
![Page 24: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-14-01.pdf · Security: Whole System is Relevant • Security requires a whole-system view • Cryptography • Implementation](https://reader030.vdocuments.us/reader030/viewer/2022040511/5e5b761dc2bacc091164a904/html5/thumbnails/24.jpg)
What type of access to a computer overrides all security measures?
Wednesday, January 29, 14
![Page 25: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-14-01.pdf · Security: Whole System is Relevant • Security requires a whole-system view • Cryptography • Implementation](https://reader030.vdocuments.us/reader030/viewer/2022040511/5e5b761dc2bacc091164a904/html5/thumbnails/25.jpg)
About CS 475• This class is in Beta
• Considerable revamp this year
• Bug reports welcome (not exploits :) )
• This class is not comprehensive
• This class is meant to be challenging, but fun
Wednesday, January 29, 14
![Page 26: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-14-01.pdf · Security: Whole System is Relevant • Security requires a whole-system view • Cryptography • Implementation](https://reader030.vdocuments.us/reader030/viewer/2022040511/5e5b761dc2bacc091164a904/html5/thumbnails/26.jpg)
Inspirations and Acknowledgements
• This class is based in part on
• Jeremy Johnson’s CS 475
• Dan Boneh’s CS 155
• Yoshi Kohno’s CSE 484
• Ron Rivest’s 6.857
• Radia Perlman’s CS 243
Wednesday, January 29, 14
![Page 27: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-14-01.pdf · Security: Whole System is Relevant • Security requires a whole-system view • Cryptography • Implementation](https://reader030.vdocuments.us/reader030/viewer/2022040511/5e5b761dc2bacc091164a904/html5/thumbnails/27.jpg)
What will we cover?
• Applied security topics, network and software attacks/defenses
• The “security mindset”
• Applied cryptography
• Economics/usability/privacy/AI
Wednesday, January 29, 14
![Page 28: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-14-01.pdf · Security: Whole System is Relevant • Security requires a whole-system view • Cryptography • Implementation](https://reader030.vdocuments.us/reader030/viewer/2022040511/5e5b761dc2bacc091164a904/html5/thumbnails/28.jpg)
Prerequisites
• Learning on the fly - OK if you know what you’re getting into
• C, x86 and stack basics, network socket programming, some Java, operating system principles and machine organization, Unix clue and related software engineering tools, Math (algorithms, probability, exponentiation/modular arithmetic, proofs), critical and devious thinking skills
Wednesday, January 29, 14
![Page 29: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-14-01.pdf · Security: Whole System is Relevant • Security requires a whole-system view • Cryptography • Implementation](https://reader030.vdocuments.us/reader030/viewer/2022040511/5e5b761dc2bacc091164a904/html5/thumbnails/29.jpg)
Grading
• Quizzes 3 x 15%
• Projects 1 and 2: 2 x 10%
• Project 3: 20%
• Homeworks and participation 15%
Wednesday, January 29, 14
![Page 30: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-14-01.pdf · Security: Whole System is Relevant • Security requires a whole-system view • Cryptography • Implementation](https://reader030.vdocuments.us/reader030/viewer/2022040511/5e5b761dc2bacc091164a904/html5/thumbnails/30.jpg)
Late Submission Policy
• Turn in work on time
• Late assignments will be dropped 20% per day
• No make up exams
Wednesday, January 29, 14
![Page 31: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-14-01.pdf · Security: Whole System is Relevant • Security requires a whole-system view • Cryptography • Implementation](https://reader030.vdocuments.us/reader030/viewer/2022040511/5e5b761dc2bacc091164a904/html5/thumbnails/31.jpg)
Cheating Policy
• New department-wide cheating policy
• When in doubt, err on the side of transparency
• list collaborators and sources
• if you wonder if it’s ok, ask
Wednesday, January 29, 14
![Page 32: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-14-01.pdf · Security: Whole System is Relevant • Security requires a whole-system view • Cryptography • Implementation](https://reader030.vdocuments.us/reader030/viewer/2022040511/5e5b761dc2bacc091164a904/html5/thumbnails/32.jpg)
ProjectsDone in Groups of 2-3
• Project 1 : Application Security
• Project 2 : Cryptography
• Project 3 : Secure Group Chat
Wednesday, January 29, 14
![Page 33: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-14-01.pdf · Security: Whole System is Relevant • Security requires a whole-system view • Cryptography • Implementation](https://reader030.vdocuments.us/reader030/viewer/2022040511/5e5b761dc2bacc091164a904/html5/thumbnails/33.jpg)
Security: Whole System is Relevant
• Security requires a whole-system view
• Cryptography
• Implementation
• People
• Physical Security
• Everything in between
• “Security is only as strong as the weakest link”
• Many places to fail
Wednesday, January 29, 14
![Page 34: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-14-01.pdf · Security: Whole System is Relevant • Security requires a whole-system view • Cryptography • Implementation](https://reader030.vdocuments.us/reader030/viewer/2022040511/5e5b761dc2bacc091164a904/html5/thumbnails/34.jpg)
Security Properties
• Confidentiality
• Integrity
• Authenticity
• Availability
Wednesday, January 29, 14
![Page 35: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-14-01.pdf · Security: Whole System is Relevant • Security requires a whole-system view • Cryptography • Implementation](https://reader030.vdocuments.us/reader030/viewer/2022040511/5e5b761dc2bacc091164a904/html5/thumbnails/35.jpg)
Wednesday, January 29, 14
![Page 36: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-14-01.pdf · Security: Whole System is Relevant • Security requires a whole-system view • Cryptography • Implementation](https://reader030.vdocuments.us/reader030/viewer/2022040511/5e5b761dc2bacc091164a904/html5/thumbnails/36.jpg)
Wednesday, January 29, 14
![Page 37: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-14-01.pdf · Security: Whole System is Relevant • Security requires a whole-system view • Cryptography • Implementation](https://reader030.vdocuments.us/reader030/viewer/2022040511/5e5b761dc2bacc091164a904/html5/thumbnails/37.jpg)
Wednesday, January 29, 14
![Page 38: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-14-01.pdf · Security: Whole System is Relevant • Security requires a whole-system view • Cryptography • Implementation](https://reader030.vdocuments.us/reader030/viewer/2022040511/5e5b761dc2bacc091164a904/html5/thumbnails/38.jpg)
Wednesday, January 29, 14
![Page 39: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-14-01.pdf · Security: Whole System is Relevant • Security requires a whole-system view • Cryptography • Implementation](https://reader030.vdocuments.us/reader030/viewer/2022040511/5e5b761dc2bacc091164a904/html5/thumbnails/39.jpg)
Analyzing the Security of a System: Part 1
• First thing : Summarize the system clearly and concisely
• Absolutely critical
• Can’t summarize, how can you analyze? Ask:
• What are the systems’ goals?
• How does the system achieve them?
• Who are the players/stakeholders?
• What are their incentives?
Wednesday, January 29, 14
![Page 40: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-14-01.pdf · Security: Whole System is Relevant • Security requires a whole-system view • Cryptography • Implementation](https://reader030.vdocuments.us/reader030/viewer/2022040511/5e5b761dc2bacc091164a904/html5/thumbnails/40.jpg)
Analyzing the Security of a System: Part 2
• Subsequent steps
• Identify assets: What do you wish to protect
• Identify adversaries and threats
• Identify vulnerabilities
• Calculate the risks
• Evaluate controls/mitigation strategies
• Iterate
Wednesday, January 29, 14
![Page 41: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-14-01.pdf · Security: Whole System is Relevant • Security requires a whole-system view • Cryptography • Implementation](https://reader030.vdocuments.us/reader030/viewer/2022040511/5e5b761dc2bacc091164a904/html5/thumbnails/41.jpg)
Assets• Need to know what you are protecting!
• Hardware: Laptops, servers, routers, PDAs, phones, ...
• Software: Applications, operating systems, database systems, source code, object code, ...
• Data and information: Data for running and planning your business, design documents, data about your customers, data about your identit
• Reputation, brand name
• Responsiveness
• Assets should have an associated value (e.g., cost to replace hardware, cost to reputation, how important to business operation)
Wednesday, January 29, 14
![Page 42: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-14-01.pdf · Security: Whole System is Relevant • Security requires a whole-system view • Cryptography • Implementation](https://reader030.vdocuments.us/reader030/viewer/2022040511/5e5b761dc2bacc091164a904/html5/thumbnails/42.jpg)
Adversaries• National governments
• Terrorists
• Thieves
• Business competitors
• Your supplier
• Your customer
• New York Times
• Your family members (parents, children)
• Your friends
• Your ex-friends
• ...
Wednesday, January 29, 14
![Page 43: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-14-01.pdf · Security: Whole System is Relevant • Security requires a whole-system view • Cryptography • Implementation](https://reader030.vdocuments.us/reader030/viewer/2022040511/5e5b761dc2bacc091164a904/html5/thumbnails/43.jpg)
Threats: What not HowVoting Machine Example
• Threats are actions by adversaries who try to exploit vulnerabilities to damage assets
• Spoofing identities: Attacker pretends to be someone else
• Tampering with data: Change outcome of election
• Denial of service: Attacker makes voting machines unavailable on election day
• Elevation of privilege: Regular voter becomes admin
• Specific threats depend on environmental conditions, enforcement mechanisms, etc
• You must have a clear understanding of how the system works
Wednesday, January 29, 14
![Page 44: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-14-01.pdf · Security: Whole System is Relevant • Security requires a whole-system view • Cryptography • Implementation](https://reader030.vdocuments.us/reader030/viewer/2022040511/5e5b761dc2bacc091164a904/html5/thumbnails/44.jpg)
Classifying Threats• By damage done to the assets
• Confidentiality, Integrity, Availability
• By source of attacks
• (Type of) insider
• (Type of) outsider
• Local attacker
• Remote attacker
• Attacker resources
• By the actions
• Interception
• Interruption
• Modification
• Fabrication
Wednesday, January 29, 14
![Page 45: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-14-01.pdf · Security: Whole System is Relevant • Security requires a whole-system view • Cryptography • Implementation](https://reader030.vdocuments.us/reader030/viewer/2022040511/5e5b761dc2bacc091164a904/html5/thumbnails/45.jpg)
Wednesday, January 29, 14
![Page 46: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-14-01.pdf · Security: Whole System is Relevant • Security requires a whole-system view • Cryptography • Implementation](https://reader030.vdocuments.us/reader030/viewer/2022040511/5e5b761dc2bacc091164a904/html5/thumbnails/46.jpg)
Identify Vulnerabilities or Weaknesses
• How things can go wrong, not what
• Weaknesses of a system that can be exploited to cause damage
• Accounts with system privileges where the default password has not been changed (Diebold: 1111)
• Programs with unnecessary privileges
• Programs with known flaws
• Known problems with cryptography
• Weak firewall configurations that allow access to vulnerable services
• ...
Wednesday, January 29, 14
![Page 47: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-14-01.pdf · Security: Whole System is Relevant • Security requires a whole-system view • Cryptography • Implementation](https://reader030.vdocuments.us/reader030/viewer/2022040511/5e5b761dc2bacc091164a904/html5/thumbnails/47.jpg)
Risk Analysis• Quantitative Risk Analysis
• Expected Loss = ValueOf(Asset) * Prob(Vulnerability) * Prob(Threat)
• Hard to assign ValueOf (monetary?) and Probabilities
• Qualitative Risk Analysis
• Assets: Critical, very important, important, not important
• Vulnerabilities: Has to be fixed soon, should be fixed, fix if convenient
• Threats: Very likely, likely, unlikely, very unlikely
• Which of the attacks we discussed Thursday were a result of getting this wrong?
Wednesday, January 29, 14
![Page 48: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-14-01.pdf · Security: Whole System is Relevant • Security requires a whole-system view • Cryptography • Implementation](https://reader030.vdocuments.us/reader030/viewer/2022040511/5e5b761dc2bacc091164a904/html5/thumbnails/48.jpg)
Homework 1
• Due Jan 15
• Security review of WhatsApp
Wednesday, January 29, 14